#7: I've noticed most LDAP connectors determine group membership by running additional queries after the user login query. This is pretty inefficient. Group membership can be inferred by simply parsing the memberOf property that comes with the login query (this is not standard on all LDAP servers, but tends to be on AD servers by default).

#8: You probably don't want to query the LDAP server repeatedly for the same user logins. You can cache the credentials locally, and allow for much more responsive logins. The TTL setting allows you to fine-tune how long to keep these cached credentials.
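An added example (not code from either commenter) showing both points in Python: group CNs parsed from the memberOf values that arrive with the login query (#7), and a TTL credential cache that stores a salted PBKDF2 hash rather than the password itself, so a dumped cache does not yield reusable credentials (#8). The directory entry is constructed sample data, and the parser assumes plain `CN=` leading RDNs (escaped commas in DNs are not handled).

```python
import hashlib
import hmac
import os
import time

# Constructed sample: attributes an AD login query might return for one user,
# including the multi-valued memberOf. Not real directory output.
SAMPLE_ENTRY = {
    "memberOf": [
        "CN=VPN Users,OU=Groups,DC=example,DC=com",
        "CN=Developers,OU=Groups,DC=example,DC=com",
    ],
}

def groups_from_member_of(entry):
    """Return the CN of each group listed in memberOf, with no second LDAP query.
    Only the leading RDN is used; nested membership is not resolved here."""
    groups = []
    for dn in entry.get("memberOf", []):
        rdn = dn.split(",", 1)[0]            # e.g. "CN=VPN Users"
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN" and value:
            groups.append(value.strip())
    return groups

class CredentialCache:
    """TTL cache of successful logins keyed by username; holds a salted hash, never the password."""
    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                   # injectable for testing expiry
        self._entries = {}                   # username -> (salt, digest, groups, expires_at)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def store(self, username, password, groups):
        """Record a login that the LDAP server has just accepted."""
        salt = os.urandom(16)
        self._entries[username] = (salt, self._digest(salt, password), list(groups), self.clock() + self.ttl)

    def check(self, username, password):
        """Return cached groups on a hit, or None so the caller falls back to LDAP."""
        rec = self._entries.get(username)
        if rec is None or self.clock() >= rec[3]:
            self._entries.pop(username, None)  # expired entries are dropped, not reused
            return None
        salt, digest, groups, _ = rec
        if not hmac.compare_digest(digest, self._digest(salt, password)):
            return None                      # wrong password: no cache hit, re-check with LDAP
        return list(groups)
```

In AD, memberOf omits the user's primary group and does not expand nested groups, so this is a fast path for the common case rather than a complete membership resolution.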